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A user U sends a registration request to the 
central authority CA 
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CA generates randomly an entry in the dynamic 
authentication key table (CA DAK [U]) and sends 
a copy of it to U, via a secure channel 
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CA starts a daemon to regenerate 
CA_DAK[U] dynamically every &t, and to 
maintain a number-regeneration-counter 
CAJDAKJfRC [U] 
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U starts a daemon to regenerate DAK 
dynamically every bt> and to maintain a 
number-regeneration-counter DAKNRC 
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Parent Process (Key management 
daemon): regenerates the user's 
dynamic authentication kev forever. 



Parent Process: forks a child 
communication process upon 
every connection reauest. 
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CA synchronizes with both users 



i iln case of synchronization failure, terminate all child processes 
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In case of authentication failure, terminate all child processes 
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Randomly generate a session key DSK . 
and send it to each user encrypted with I 
aligned HashDAKVec of each user | 
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CA receives a dynamic session key generation request 
from a user U s to communicate with user U di along 
with its frozen U S _DAKJJRC and h(DAKJNRC) 
encrypted with the shared auxiliary key. 



CA forks a child communication process, which asks U d to send its 
DAKNRC, h(DAKNRC) encrypted with the shared auxiliary key. 
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After verifying the integrity of DAK NRC (via the h function, receive a snapshot copy of 
CADAK [£/J and CAJDAK [U d ] and their counts CA_NRC[U g ] and CA_NRC[U d ]from 
their corresponding daemon. Then, CA aligns with U s and U d (Fig. 7) 
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CA ignores the last synchronization 
effects of the non-synchronized user, 
sends an "ABORT" message to both 
users, and terminates its child process, 




CA authenticates both U s and U d 
(FIG. 8a) 




CA ignores the last synchronization 
effects of the non-authenticated 

user, sends an "ABORT" message 
to both users, and terminates its 
child process. 



CA generates a dynamic session key DSK and sends a "SESSION_KEY" message to 

U 5 and U dy including DSK encrypted by each user's dynamic authentication key 
(HashjCAJ)AK [C/J_Vec and HashJOAJ)AK [U d ]_Vec). The DSK along with the 
frozen/snapshot DAKs, at both user and CA nodes, are used as a new state, in the 
DA K regeneration process, by the key management daemons. Then, CA's child 
communication process terminates. 
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CA_ DAKNRC [U]= 
U DAK NRC1 






Report failure to synchronize 



CA performs ( U_DA KNRC - 
CA DA KNR C [U\) dynamic key 
regeneration on CADAK [U], in order to 
synchronize with (/. 




CA sends a "SYNCHRONIZE" message to U 9 
including x=(CA_DAK_NRC [U]- 
U DAK NRC) and its hash value encrypted 
with the auxiliary key, E(x, h(x)), for U to 
perform dynamic key regeneration on its DAK, 
to synchronize with CA, 



Report failure to 
synchronize 




FIG. 7 
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CA generates nonce N and sends (E X {N), E 2 (N)) to U including 
"AUTHENTICATE" message (FIG. 14), where E } (N) and E } (N) are the encryption 
of Abusing Hash_CA_DAK[U]_Vec x and Hash_CA_DAK[U]_Vec 2y respectively. 




CA decrypt £j(AT) and E 4 (N) using the Hash_CA_DAK[U]_Vec 2 and 
Hash_CA_DAK[U]_Vec 4 to get D 3 (E 3 (W)) and D 4 (E<(W)y 
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Report successful 
authentication of user (/by CA. 



Report failure to 
authenticate Uby CA 
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Resume FIG. 6 
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C/ decrypts and E 2 (N) with Hash_DAK_Vec x and 

Hash_DAK_Vec 2 , to get D,(E,(N)) and D^E 2 (N)), respectively 
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Successful authentication of C4 by U. 
Acknowledge to CA, including a nonce N" 
encrypted with Hash_CA_DAK[U]_yec^ and 
Hash_CA_DAK[U]_Vec 4 , E 3 (]ST) and 
E 4 (W), respectively. 



Failure to authenticate CA 
by £/, abort connection y 
establishment. 
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CA experiences shut-down event. 
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U system experiences shut-down event. 



CA sends a "freeze-Z^A'-regenerating" 
message to all previously subscribed users. 



U sends a "freeze-Z)/4/C-regenerating" 
message to its CA. 
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CA saves all DAKs into a temporary file. 



U saves its DAK into a temporary file. 





CA reboots after a time x, reloads DAKs ^ f 
from temporary file, and asks all registered 
users to send DAK NRC. 
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IPs system reboots after a time t, reloads 
DAK from temporary file, and sends its 
DAK NRC to the CA. 



For every registered user U: 
Synchronize (CA, U), to obtain the same 
DAK at their sites (FIG. 7) 



Synchronize (Cv4, £/) 
(FIG. 7) 
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Use the same obtained DAK to authenticate 
(7 and CA to one another 
(FIG. 8) 



Use the same obtained DAK to authenticate 
U and C4 to one another 
(FIG. 8) 



CA sends a "resume-D^AT-regenerating" 
message to the successfully synchronized 
users. Other users asked to establish a new 
registration. 




In case of successful synchronization, U 
sends a "resume-£>/i /^-regenerating" 
message to CA . Otherwise, U establishes a 
new registration with the CA. 
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Register to CA (FIG. 2). 



Fork a child process to freeze DA K generation and to send session 
establishment request to the CA that includes the frozen DAKNRC and 
the destination user's (U d ) identification. 



-90 



Start handshaking with the CA. 
(FIG. 14) 



Resume from Fig 14, i.e., 
handshaking is a success; receive 
initial DSK 



Using DSK as a seed, generate n dynamic session keys 
(DSK h . . ., DSK n ) each of the same size as the DSJCs size. 
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Extract the next n records (Record ), . . ., 
Record n ), each of the same size as the 
DSK size. 




Encrypt data Record t using hash vector of 
corresponding dynamic session key DSK h (PVi) 
resulting in a cipher Ciphen, for i=7 n. (FIG. 1 1) 
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Regenerate a new DSK t , for i=l, 
(FIGS. 15a and 15b) 
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Transmit the ciphers: Cipher it 
for /=/,...,« 
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LJd receives a request of communication with 
U.fromCA. 



Fork a child process to stop regenerating 
DAK', send the frozen DAK NRC to CA. 



Start handshaking with the CA. (FIG. 14) 
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Receive the cipher records: Cipher h 
for i=/,...,/j 



Decrypt cipher records Cipher^ using hash vector 
of corresponding DSK,, (PVi) resulting in a 
decrypted record Record,, for /=/,... f n. (FIG. 13) 



Restore the original message data by 
assembling decrypted records (Record } , 
Records 



Using AS/w as a seed, generate n new DSKs (DSK h 
DSK„) each of the same size as the DSK size. 



Regenerate new DSK iy for i=l, ...,« 
(FIGS. 15a and 15b) 
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Resume from Fig 14, i.e., y 
handshaking is a success; received—*' 
initial DSK 
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Start handshaking with CA 
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Regenerate 
dynamically DAK for 
x times (FIG. 3). 
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the CA 
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Authenticate CA 
(FIG. 8b). 
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Abort Connection 
Request, and 
terminate the 
communication 
child process. 



Return the aligned DAK and the 
new DSK to the parent daemon in 
order to initialize the DAK 
regeneration state. 



Resume connection establishment 
at the user (source or destination) 
side (FIG. 10 and FIG. 12) 
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Keep normal decryption 

process, and buffer 
decrypted data records 



YES (start integrity 
validation process) 



Encrypt D,'° +R " 2 with the hash vector pyf"* 
to yield C integri ^, and then send it to the 
destination. ^ 
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Wait for destination to send a cipher C\ ntegrity 
for integrity check. 



Decrypt C\ ntegrity with the hash vector 
P^^to yield D\ ntegrity . 




Redo the encryption and transmission 

starting from D{°, using DSK- 0 and 
PV/° as initial dynamic keys, and start 
a new validation period. 
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to <- t 0 + R 
Start a new validation period. 
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fES (start integrity 
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Keep normal decryption 

process, and buffer 
decrypted data records 



Encrypt Z>/° +R_1 with the hash vector PK/° +R+1 
to yield C\ megrity , and then send it to the 
source. 



j. 



-332 



534 



Wait for source to send a cipher C imegrit y 
for integrity check. 



Decrypt C integrit y with the hash vector py i t0 + K 
to yield D integrity . 
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Reject the "R" buffered data records, 
use DSKf 0 and PV/ 0 as initial dynamic 
keys, and start a new validation period. 
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Accept the "R" buffered data records, 
and start a new validation period. 
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